Vulnarex | Elite Cybersecurity Learning Platform

#Full-Disk Encryption Is Useless Without a Firmware Lock#link

FileVault 2 encrypts your entire disk with XTS-AES 128, but an attacker with physical access can boot from an external drive, modify system files, or even disable SIP if no firmware password is set. This lesson covers enabling and escrowing FileVault, setting a firmware password that prevents alternate boot modes, and understanding the recovery key lifecycle—so a stolen Mac is truly a brick.

Enabling FileVault and Escrowing the Recovery Key

FileVault is enabled via System Preferences → Security & Privacy → FileVault. For enterprise, push a configuration profile that escrows the personal recovery key to an MDM server. The 'Institutional Recovery Key' method uses a public/private key pair to unlock the volume, which is safer than a static recovery key. Check status with fdesetup status. Ensure all user accounts are enabled for unlocking.

Check FileVault status and list unlocking users

root@vulnarex:~#sudo fdesetup status && sudo fdesetup list

The list shows which users can unlock the disk. It's important to have a local admin account as a backup unlocker, separate from the daily driver.

bash

# Use a institutional recovery key (requires generating a keychain)
# First, create a master keychain and certificate; then:
sudo security add-certificates -k /Library/Keychains/FileVaultMaster.keychain /path/to/cert.cer
sudo fdesetup enable -inputplist < institutional.plist

Firmware Password: Protecting the Pre-Boot Environment

Setting a firmware password on Intel Macs prevents booting from alternate media, entering Recovery without password, or resetting NVRAM. On Apple Silicon, the equivalent is the Recovery Lock, set via MDM or Apple Configurator. Without it, an attacker can boot into Recovery, disable SIP, and mount the FileVault volume if they have a user account password. The firmware password complements FileVault and SIP.

info

💡 For Apple Silicon, the 'Startup Security Utility' in Recovery allows setting a firmware password. In enterprise, it's managed via MDM with the 'Set Firmware Password' command.

Protection	Intel Mac	Apple Silicon	What It Prevents
Firmware password	Yes, via Recovery	Recovery Lock via MDM	Alternate boot, Recovery without pass
FileVault encryption	Same	Same	Data access without user password/recovery key
SIP	csrutil in Recovery	Same (csrutil)	System file modification

Recovery Key Management and Brute-Force Protection

FileVault recovery keys must be stored securely (MDM, enterprise password manager). There is a built-in brute-force delay: after incorrect password attempts, the system imposes increasing delays. For higher security, consider using a smart card (PIV) for pre-boot authentication. Ensure the recovery key is accessible even if the MDM is unavailable, to prevent total lockout.

▪Enable FileVault on all Macs; escrow recovery key to MDM.
▪Set a firmware password (Intel) or enforce Recovery Lock (Apple Silicon) via MDM.
▪Verify that at least two local accounts can unlock the disk.
▪Test recovery process: reboot, attempt to enter wrong password, use recovery key to unlock.

STRICT SECURE AUDIT RULE

⚠️ If FileVault is enabled and you lose all recovery keys and user passwords, the data is irrecoverable. Escrow multiple recovery options and test recovery annually.

quiz BLOCK (★ 50 XP)

An attacker has physical possession of a powered-off Mac with FileVault and a firmware password set. What prevents them from accessing the data?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

FileVault + Firmware Lab